Abstract
This paper shows that the advantage of any q-query adversary (which makes at most q queries) for distinguishing OMAC from a uniform random function is roughly Lq2/2n. Here L is the number of blocks of the longest query and n is the output size of the uniform random function. The so far best bound is roughly σ2/2n = O(L2q2/2n) and hence our new bound is an improved bound. Our improved security analysis also works for OMAC1 and CMAC which has been recommended by NIST as a candidate of blockcipher based MAC.
© de Gruyter 2009
This article is distributed under the terms of the Creative Commons Attribution Non-Commercial License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.
